A recent escalation in cyberattacks has put financial firms across the globe on high alert, as malicious actors increasingly deploy PXA Stealer, a potent information-stealing malware. This development follows the dismantling of several significant infostealer operations, such as Lumma, Rhadamanthys, and RedLine, by law enforcement in 2025. As these platforms have been shut down, PXA Stealer has emerged to fill the void, with experts noting an 8 to 10 percent increase in its activity during the first quarter of 2026.
Methods and Tools of PXA Stealer
The attackers use phishing emails that include malicious URLs, prompting victims to download ZIP files laden with concealed malware. This strategy employs a wide array of fake documents like job applications, Adobe Photoshop installers, tax documents, and legal forms, which are designed to target employees across different departments of financial institutions. This varied approach complicates efforts to defend against the threat using uniform email filters.
CyberProof analysts have documented this trend, focusing on a specific campaign cluster linked to a bot identifier known as “Verymuchxbot.” This campaign exhibits several differences from previously reported PXA Stealer activities observed in August 2025. By analyzing the entire attack sequence, the team has effectively mapped out the malware’s path from the initial phishing email to the final data exfiltration.
Impact on Financial Institutions
PXA Stealer is designed to surreptitiously gather browser credentials, stored passwords, and cryptocurrency wallet information from compromised systems. Once collected, this data is transmitted to attackers via Telegram channels, a method that helps the malware evade detection. Additionally, the malware creates a registry entry to maintain persistence, allowing attackers continuous access even after system reboots.
This campaign’s distinctiveness lies in its ability to blend seamlessly with routine system activities. By utilizing legitimate Windows utilities and renaming files to resemble trusted processes, the attackers significantly reduce the likelihood of detection. As PXA Stealer’s reach grows, financial organizations face an escalating threat to their sensitive data.
Understanding the Infection Process
The attack initiates when an unsuspecting user downloads a ZIP file named Pumaproject.zip from the domain downloadtheproject[.]xyz. Inside this archive, a file named Document.docx.exe masquerades as a benign Word document. Execution of this file triggers the malware, which extracts a Python interpreter, various Python libraries, and harmful scripts, all stored in a concealed folder named “Dots.”
Within the “Dots” folder, attackers place a legitimate WinRAR binary renamed as picture.png and an encrypted archive disguised as Shodan.pdf. The certutil Windows tool decodes this archive, and the WinRAR binary extracts its contents using the password “shodan2201.” The extracted files are placed in C:\Users\Public\WindowsSecure, with the Python interpreter renamed to svchost.exe to mimic a trusted Windows process.
A heavily obfuscated Python script, appearing as images.png, is then executed with the $BOT_ID argument set to “Verymuchxbot.” This script intercepts credentials and cryptocurrency wallet data during browser sessions. The stolen data is ultimately sent via Telegram to attacker-controlled channels. Security teams should therefore monitor email for suspicious URLs and attachments, block outbound connections to the top-level domains involved, and audit traffic to messaging services such as Telegram, since these are the points at which the data transfer can still be stopped.
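The chain described in this section (certutil decoding the disguised archive, WinRAR running as picture.png, the Python interpreter running as svchost.exe from C:\Users\Public\WindowsSecure, the persistence registry entry, and the Telegram exfiltration) can be hunted in endpoint telemetry. The script below is an added example written for this article, not code from CyberProof or from the campaign analysis. It assumes Sysmon-style process, registry and network events flattened to dicts; the field names (image, cmdline, original_filename, target_object, dest_host) are assumptions to be mapped onto your own schema, the use of a Run key for persistence is an assumption (the article only says “a registry entry”), and api.telegram.org is the Telegram Bot API host, not an indicator taken from the article. The sample events are constructed.

```python
"""Hunt for the PXA Stealer execution chain in Sysmon-style telemetry.

Added example (not from the article or from CyberProof). Events are
constructed dicts loosely shaped like Sysmon event IDs 1 (process
creation), 13 (registry value set) and 3 (network connection); field
names are assumptions, map them to your own schema.
"""
from typing import Dict, List, Tuple

# Legitimate locations of svchost.exe; anything else using that name is suspect.
LEGIT_SVCHOST = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\syswow64\\svchost.exe",
}
# Processes that may legitimately talk to Telegram (assumption: browsers only).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
PUBLIC_DIR = "c:\\users\\public\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of indicators matched by one event (empty if clean)."""
    findings: List[str] = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    name = _basename(image)

    if kind == "process":
        cmd = ev.get("cmdline", "").lower()
        original = ev.get("original_filename", "").lower()  # Sysmon OriginalFileName
        # The article's chain: Python renamed to svchost.exe in a user-writable folder.
        if name == "svchost.exe" and image not in LEGIT_SVCHOST:
            findings.append(f"svchost.exe masquerade from {image}")
        # certutil decoding the disguised archive (Shodan.pdf).
        if name == "certutil.exe" and "-decode" in cmd:
            findings.append("certutil -decode of a file")
        # A PE whose embedded name disagrees with its on-disk name, e.g. WinRAR as picture.png.
        if original and original != name:
            findings.append(f"renamed binary {name} (original {original})")
        # Anything launched from C:\Users\Public is unusual on a managed workstation.
        if image.startswith(PUBLIC_DIR):
            findings.append(f"execution from {PUBLIC_DIR}")

    elif kind == "registry":
        # Persistence via a Run key (assumption: the article only says "a registry entry").
        target = ev.get("target_object", "").lower()
        if RUN_KEY in target and image.startswith(PUBLIC_DIR):
            findings.append(f"Run-key persistence set by {image}")

    elif kind == "network":
        # Exfiltration to the Telegram Bot API from a non-browser process.
        host = ev.get("dest_host", "").lower()
        if host == "api.telegram.org" and name not in BROWSERS:
            findings.append(f"telegram bot api contact from {image}")

    return findings


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run check_event over a batch; return (index, findings) for hits only."""
    hits: List[Tuple[int, List[str]]] = []
    for i, ev in enumerate(events):
        found = check_event(ev)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample telemetry reproducing the chain from the article,
# plus two benign events to show the checks do not fire on normal activity.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -decode C:\\Users\\bob\\Dots\\Shodan.pdf C:\\Users\\bob\\Dots\\out.rar",
     "original_filename": "CertUtil.exe"},
    {"type": "process", "image": "C:\\Users\\bob\\Dots\\picture.png",
     "cmdline": "picture.png x out.rar C:\\Users\\Public\\WindowsSecure",
     "original_filename": "WinRAR.exe"},
    {"type": "process", "image": "C:\\Users\\Public\\WindowsSecure\\svchost.exe",
     "cmdline": "svchost.exe images.png Verymuchxbot", "original_filename": "python.exe"},
    {"type": "registry", "image": "C:\\Users\\Public\\WindowsSecure\\svchost.exe",
     "target_object": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Secure"},
    {"type": "network", "image": "C:\\Users\\Public\\WindowsSecure\\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "original_filename": "svchost.exe"},
    {"type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS):
        print(idx, "; ".join(found))
```

Each check is deliberately independent, so a variant that changes the archive name or the password still trips the structural indicators (a system-process name outside System32, a binary whose embedded original name does not match its file name, execution from C:\Users\Public, and a non-browser process contacting the Bot API). The two benign events at the end are the regression set: a genuine svchost.exe from System32 and a browser reaching Telegram produce no findings.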
Security teams are advised to treat EDR alerts for process injection with urgency and to keep CTI feeds and threat hunting queries updated to preemptively identify and mitigate emerging infostealer threats.
